Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
On 2014-08-22 at 01:16, Robert J. Hansen wrote:
> On 8/21/2014 3:35 PM, Johannes Zarl wrote:
>> Compiling a collection of publicly available information is an almost perfect description of the term surveillance. E.g. a surveillance camera does exactly that: it collects publicly available information.
>
> So does the phone book, Wikipedia, and IMDB. We don't call them surveillance.

The difference in the relation we have with information is who does it concern: when it concerns everybody (like Science, information about politics, events, Philosophy, Art, etc. what generally is what Wikipedia contains, aka “encyclopedic informations”), it should be shared among everyone, and not doing so is taking part in some kind of oppression (like stopping people from sharing a software); when it concerns only some people (like private information, one-to-one communication, etc.) it should be kept secret among the few people it concerns, otherwise it is also taking part in some kind of oppression (like surveilling, spying, controlling).

That’s why we ask for more transparency from the powerful and more privacy to the weak.

When someone watches the tweets of some friends of some person discussing with some others, while not knowing and not being interested in it, even if it doesn’t concern her, just to spy the person, it *is* surveillance. Though Twitter doesn’t have sophisticated privacy features like circles or groups, so it’s possible even if it’s not always a good thing.

The same applies to IP. In this case, it does concern only the person owning the house what color is it, what is the model of door, of lock, of key and how to open it. So even if it’s “publicly available information” (like in Twitter, Facebook, or any potentially privacy-harmful social network) it shouldn’t be collected without hurting someone’s freedom, so here the usefulness of the GNU patch for it :)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
email verification as casual checking?
Hi,

to deal with faked keys, some guys had the idea to use email verification and let then certification servers take that as casual signing.

For example:
- Some guy might create a key using a mail client
- That key is then automatically sent by the email client to a server, which can be used as key server
- The key server sends a confirmation request to the email address(es) of the registered key
- If the confirmation recipient confirms that he/she registered the key, the key server certifies this key as casual checked.

THAT IS, the key server would automatically certify the correctness of the association between the key and the email address as casual signing.

The big advantage would be to have a simple way to validate keys.

The big disadvantage beside some details (such as registering additional email addresses) is probably that PGP signatures usually sign the owner, not his/her email address, if I understood it correctly.

Although regarding signature types, we state in RFC4880:

  Please note that the vagueness of these meanings is not a flaw, but a feature of the system.

But we could mark this kind of automatically certifying key server as special so that people (are able to) know what they do when they trust this key server and therefore its casual signed keys.

What do you think about this idea? Was it ever discussed?

--
Nicolai M. Josuttis
www.josuttis.de
PGP Fingerprint: EA25 EF48 BF20 01E4 1FAB 0C1C DEF9 FC80 8A1C 44D0
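[Added example, not part of the original message and not code from any real key server: a toy Python model of the register / confirm / certify flow listed above. The class and method names, the one-hour token lifetime and the sample fingerprint are assumptions; it records a certification of type 0x12 ("casual" in RFC 4880) instead of building a real OpenPGP signature packet.]

```python
import hashlib, hmac, secrets, time

CASUAL_CERT = 0x12   # RFC 4880 signature type: casual certification of a User ID
TOKEN_TTL = 3600     # assumed lifetime of a confirmation request, in seconds


class VerifyingKeyServer:
    """Hypothetical key server that certifies only mail-confirmed User IDs."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self.pending = {}         # token digest -> (fingerprint, email, expiry)
        self.certifications = []  # (fingerprint, email, sig_type) records

    def register(self, fingerprint, emails, now=None):
        now = time.time() if now is None else now
        outbox = {}
        for email in emails:
            email = email.lower()
            token = secrets.token_urlsafe(24)   # one token per address
            self.pending[self._digest(token)] = (fingerprint, email, now + TOKEN_TTL)
            outbox[email] = token               # stands in for sending the mail
        return outbox

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single-use, so a replayed link does nothing.
        entry = self.pending.pop(self._digest(token), None)
        if entry is None or now > entry[2]:
            return None
        # Certify exactly the (key, address) pair the token was mailed to,
        # never the other addresses registered on the same key.
        record = (entry[0], entry[1], CASUAL_CERT)
        self.certifications.append(record)
        return record

    def _digest(self, token):
        # Store a keyed digest only, so a database leak does not leak tokens.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def certified_emails(self, fingerprint):
        return sorted(e for f, e, _ in self.certifications if f == fingerprint)


def demo():
    ks = VerifyingKeyServer()
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
    mail = ks.register(fpr, ["alice@example.org", "other@example.org"], now=0)
    ks.confirm(mail["alice@example.org"], now=10)      # only this owner answers
    return ks.certified_emails(fpr)
```

[The second address on the key stays uncertified until its own token comes back, which is the "additional email addresses" detail raised in the message.]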
Re: email verification as casual checking?
> to deal with faked keys, some guys had the idea to use email verification and let then certification servers take that as casual signing.

I think the first people to do this were at PGP Security (pre-PGP Corporation; this was when PGP Security was owned by Network Associates). The PGP Global Directory worked basically this way.

> The big disadvantage beside some details (such as registering additional email addresses) is probably that PGP signatures usually sign the owner, not his/her email address, if I understood it correctly.

Not necessarily so. The RFCs define syntax for signatures, but not semantics. The semantics are left up to each individual user to determine.

> What do you think about this idea? Was it ever discussed?

Not only was it discussed, it was implemented and ran for years. The Global Directory may still be running, for all I know.

However, the Global Directory didn't really solve any of PGP's usability problems. Was it worth doing? Yes. Did it live up to the hopes people had for it? Not really.
Re: email verification as casual checking?
On 8/22/14 11:03 AM, Robert J. Hansen wrote:
> The Global Directory may still be running, for all I know.

It is. I have my primary key there if for no other reason than because it gives me an LDAP server to play with. :)

Doug
Re: [Announce] [security fix] Libgcrypt and GnuPG
On Mon, 11 Aug 2014 10:21:55 +0200 Werner Koch w...@gnupg.org wrote:
> On Sat, 9 Aug 2014 22:52, bra...@majic.rs said:
>> Skimming through the description, does it mean that users with OpenPGP cards should be impervious to this attack? Can the attack be used to leak symmetric keys during the GnuPG operation?
>
> It is unlikely that this particular attack can be used against smart cards. They are quite different from a general purpose PC. Modern cards are designed to mitigate many classes of side-channel attacks since cards started to be targeted more than 25 years ago. The private keys are only on the card and not accessible from the PC.

I should've been more specific with my question (or perhaps I misunderstood the answer a bit :)

If I understand correctly (please do correct me if not), when encrypting/decrypting a file with GnuPG using an OpenPGP card, a symmetric key is created that will encrypt the file, and subsequently this symmetric key will be encrypted using the OpenPGP card, with the encrypted symmetric key becoming part of the encrypted file.

This symmetric key is generated outside of the OpenPGP card (if I got it right), and encryption/decryption of a file itself is performed outside of the OpenPGP card (i.e. on host computer).

Can the attack be used to obtain this symmetric key for encrypting the file during encryption/decryption operations performed by GnuPG?

Best regards

P.S. Sorry for the original lost quote, I'll try to keep 'em shorter :)

--
Branko Majic
Jabber: bra...@majic.rs
Please use only Free formats when sending attachments to me.

Бранко Мајић
Џабер: bra...@majic.rs
Молим вас да додатке шаљете искључиво у слободним форматима.
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
++ 22/08/14 11:38 +0200 - Garreau, Alexandre:
> The difference in the relation we have with information is who does it concern: when it concerns everybody (like Science, information about politics, events, Philosophy, Art, etc. what generally is what Wikipedia contains, aka “encyclopedic informations”), it should be shared among everyone, and not doing so is taking part in some kind of oppression (like stopping people from sharing a software); when it concerns only [...]

That's an interesting point of view - or there is some misunderstanding on my end. Let's say the NSA does not only surveil all kinds of communications as it does right now, but it also publishes this information (open data in governmental speak), then there is no oppression according to you?

--
Rejo Zenger
E r...@zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl
T @rejozenger | J r...@zenger.nl
OpenPGP 1FBF 7B37 6537 68B1 2532 A4CB 0994 0946 21DB EFD4
XMPP OTR 271A 9186 AFBC 8124 18CF 4BE2 E000 E708 F811 5ACF
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
Can I ask that the whole discussion of what is or is not surveillance be taken off line somewhere? It really doesn't matter what we call it, the interesting bit here is that we know all kinds of data are being collected by all kinds of folks. That leaves open the (IMO much more interesting) question of what we can DO to protect our communication channels.

Doug
RE: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
Or, to put it another way: security through obscurity is ok. as long as no one finds out, or goes looking for, public information, everything's hidden well enough.

Regards,
Charlie
602.420.4123

-Original Message-
From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Rejo Zenger
Sent: Friday, August 22, 2014 12:14 PM
To: gnupg-users@gnupg.org
Subject: Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back

++ 22/08/14 11:38 +0200 - Garreau, Alexandre:
> The difference in the relation we have with information is who does it concern: when it concerns everybody (like Science, information about politics, events, Philosophy, Art, etc. what generally is what Wikipedia contains, aka “encyclopedic informations”), it should be shared among everyone, and not doing so is taking part in some kind of oppression (like stopping people from sharing a software); when it concerns only [...]

That's an interesting point of view - or there is some misunderstanding on my end. Let's say the NSA does not only surveil all kinds of communications as it does right now, but it also publishes this information (open data in governmental speak), then there is no oppression according to you?

--
Rejo Zenger
E r...@zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl
T @rejozenger | J r...@zenger.nl
OpenPGP 1FBF 7B37 6537 68B1 2532 A4CB 0994 0946 21DB EFD4
XMPP OTR 271A 9186 AFBC 8124 18CF 4BE2 E000 E708 F811 5ACF
Re: Fwd: GNU hackers discover HACIENDA government surveillance and give us a way to fight back
On 2014-08-22 at 21:13, Rejo Zenger wrote:
> ++ 22/08/14 11:38 +0200 - Garreau, Alexandre:
>> The difference in the relation we have with information is who does it concern: when it concerns everybody (like Science, information about politics, events, Philosophy, Art, etc. what generally is what Wikipedia contains, aka “encyclopedic informations”), it should be shared among everyone, and not doing so is taking part in some kind of oppression (like stopping people from sharing a software); when it concerns only […]
>
> That's an interesting point of view - or there is some misunderstanding on my end. Let's say the NSA does not only surveil all kinds of communications as it does right now, but it also publishes this information (open data in governmental speak), then there is no oppression according to you?

I didn’t say it was related to what usage was made of information or to whom it was available but to *who it concerns*. Actually if you publish private information it changes nothing: it remains private information concerning only its initial possessor, and making other people acknowledge it is giving them power an harm to the freedom of one who has her privacy harmed.

Open data and transparency should only be about what concerns everybody, like government actions, train schedules, etc. not private information.